NFA Members Should Prepare for Onerous New Breach Notification Requirements

On April 1, 2019, new cybersecurity requirements outlined in the NFA’s Interpretive Notice to NFA Compliance Rules 2-9, 2-36 and 2-49 will come into effect. These new requirements apply to NFA Members, including registered futures commission merchants, commodity trading advisors, commodity pool operators, introducing brokers, retail foreign exchange dealers, and swap dealers. They are designed to “establish general requirements relating to Members’ information systems security programs (ISSPs) but leave the exact form of an ISSP up to each Member.” These ISSP obligations relate to, among other things, ISSP approval and third-party cyber diligence (see our previous blog post).

Perhaps the most significant new obligation is the imposition of onerous breach notification requirements, which require NFA Members to notify the NFA “promptly” of any cybersecurity incident related to their commodity interest business that results in:

any loss of customer or counterparty funds;

any loss of an NFA Member’s own capital; or

the NFA Member providing notice to customers or counterparties under state or federal law.

It is that last scenario, the so-called “piggyback rule,” that creates a very significant and often difficult-to-assess notification obligation, because there are now separate breach notification laws in all 50 U.S. states, as well as the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands. There are also dozens of additional data breach notice obligations under various industry-specific state and federal laws, and these dozens of different laws are far from uniform. Indeed, they differ in several ways, including:

what formats of data are covered (e.g., electronic or physical);

what kinds of data are covered (e.g., personal information or business secrets);

what constitutes personal information;

what the trigger is for notification (e.g., unauthorized access to the data or rendering the data unavailable); and

NFA Members will, however, need to stay abreast of all of their various U.S. state and federal breach notification obligations, because of the piggyback provision. As such, NFA Members should consider training and practice drills to ensure that they are able to meet these new notification obligations within a reasonable time period.

The Davis Polk Cyber Portal is available to Davis Polk clients to help them meet their cyber-related regulatory obligations, including the new NFA obligations. The Portal contains a query-based database of breach notification laws that allows Davis Polk clients to assess their breach notification obligations in a matter of minutes. If you have questions about the Portal, click on “Request access” in the top right corner at www.dpwcyberportal.com.

Mr. Gesser is a partner in Davis Polk’s Litigation Department. He represents clients in a wide range of cybersecurity issues, including compliance with various cybersecurity regulations, cybersecurity governance issues, cloud migration, data minimization, and cybersecurity risk disclosures. Mr. Gesser also counsels companies that have experienced cyber events by coordinating with experts to conduct investigations; communicating with regulators, law enforcement, insurers and auditors; assessing various federal, state and international regulatory disclosure obligations; and representing the companies in related civil litigation and regulatory investigations. He previously served as the Counsel to the Chief of the Justice Department, Criminal Division’s Fraud Section and as the Deputy Director of the Justice Department, Criminal Division’s Deepwater Horizon Task Force. In addition to his full-time practice, Mr. Gesser is a frequent writer and commentator on cybersecurity issues.

Attorney Advertising. Prior results do not guarantee a similar outcome.

Disclaimer

dpwcyberblog.com is a collection of informational products provided by Davis Polk & Wardwell LLP. In its capacity as provider of dpwcyberblog.com and its component parts, Davis Polk is acting as an information provider.

dpwcyberblog.com and its component parts do not constitute, and are not intended to constitute, legal advice with respect to any particular circumstance, do not create an attorney-client relationship with Davis Polk & Wardwell LLP or any of its associated entities and should not be relied on or treated as a substitute for specific advice relevant to particular circumstances. Davis Polk & Wardwell LLP shall not be liable for any loss that may arise from any reliance on dpwcyberblog.com or its component parts. If you have any comments or questions, please contact cyberblog@davispolk.com.